Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Imagine a new hybrid technology that merges the 'system cleaning' properties of traditional antispyware products with the efficiency of powerful antivirus-based technology. It's available with Sunbelt Counterspy Enterprise.

TOP OF THE NEWS

Mass. AG Releases Cyber Crime Plan (October 31, 2007)

The Office of the Massachusetts Attorney General has released the Massachusetts Strategic Plan for Cyber Crime. The plan is based on information gathered from a survey of law enforcement employees and a meeting with law enforcement officials. The plan's six priorities are to "Deliver law enforcement training; support and enhance cyber crime prevention and information sharing activities; develop and promote common operating procedures and standards; examine statewide digital forensic evidence processing requirements; secure funding for cyber crime programs; amend jurisdictional and substantive law."
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=45318
-http://www.mass.gov/Cago/docs/press/2007_10_25_cyber_crime_plan_attachment1.pdf
[Editor's Note (Shpantzer): In my previous research into law enforcement's forays into digital forensics, one of the most problematic issues is the police career ladder that continually transfers an officer to different roles, without allowing for long-term specialization. A three-year rotation of a digital forensics specialist into robbery investigation, for example, does not help an officer retain credibility on the witness stand in a computer crime case. One of the senior officers interviewed suggested a career track similar to that of the Army's Warrant Officer program, allowing for specialists to develop skills and competencies in the long term.]

Consumer Groups Call For Do Not Track List (November 1 & 2, 2007)

Consumer protection and privacy groups have proposed the creation of a "Do Not Track" list, similar to the "Do Not Call" list, which would allow individuals to say whether or not companies may track their web surfing. The plan would require advertisers that place cookies on users' computers to register all associated servers with the Federal Trade Commission (FTC). Internet companies want to know what sites users visit so they can target advertisements to those consumers. Interactive Advertising Bureau chief Randall Rothenberg opposes the idea; he is critical of legislation hindering industry innovation and is in favor of self-regulation. The proposal will be discussed at an FTC two-day public forum that began on Thursday, November 1. FTC commissioner Jon Leibowitz says the agency will exert more control over online advertising. Speaking at the forum on Thursday, Leibowitz said, "People should have dominion over their computers. The current 'don't ask, don't tell' in online tracking and profiling has to end."
-http://www.washingtonpost.com/wp-dyn/content/article/2007/10/31/AR2007103101000_pf.html
-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2007/11/01/BUL2T462K.DTL&type=business
-http://news.bbc.co.uk/2/hi/technology/7072653.stm
-http://www.nytimes.com/2007/11/02/technology/001cnd-ftc.html?ei=5088&en=f562c58488150ad5&ex=135165600
[Editor's Note (Pescatore): The concept of mirroring "Do Not Call" on the Internet makes sense, but having advertisers register with a government agency certainly does not. There are other parts of the world implementing "Opt In" approaches; the industry should look at those to propose a self-regulation approach, which is long overdue. It is really a no-brainer: most people continue to show that they will opt in if it is a way to keep free web content free. If they don't opt in, the services might carry a cost; that is the essential trade-off. (Schultz): Leibowitz is 100 percent correct. The fact that one can inject a program into another person's computer without any consent whatsoever is unfathomable. Legislation against spyware should have been passed in the US a long time ago.]

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Woman Pleads Guilty in QVC Fraud Case (October 30, 2007)

A woman has pleaded guilty to wire fraud for exploiting a flaw in the QVC home shopping network website that allowed her to receive merchandise at no cost. Quantina Moore-Perry discovered that if she placed an order and then cancelled it immediately, the goods would still ship but she would not be charged. Moore-Perry will forfeit US $412,000 she made selling the merchandise on eBay.
-http://www.theregister.co.uk/2007/10/30/website_fraud_guilty_plea/print.html
[Editor's Note (Northcutt): Must be some sort of plea bargain; there is very little information to be had. The indictment is here, but it is the same information as all the stories:
-http://www.usdoj.gov/usao/pae/News/Pr/2007/jul/mooreperry.html
-http://www.usdoj.gov/usao/pae/News/Pr/2007/jul/mooreperry.pdf
(Skoudis): This sounds like a race condition in the border between their technical implementation and physical business process. There are a huge number of these kinds of issues, which are very hard to find. If you have some spare time, you may want to brainstorm the hand-offs between technology and people in your organization to look for this kind of problem -- whether a quickly revoked transaction in your technology will truly be yanked back by the business process. (Shpantzer): Here we see the most basic application security overlooked on a multi-billion dollar e-commerce site.]
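Skoudis's race-condition reading of the QVC flaw above, as an added example that is not part of the newsletter and says nothing about how QVC's systems were actually built: a constructed order pipeline in which the warehouse ships from a snapshot while billing re-reads the live order (the vulnerable flow), beside one where shipping is a single guarded state transition that also decides the charge (the hardened flow). The class and function names, the batch snapshot and the "cancel lands in between" switch are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Order:
    order_id: str
    state: str = "PLACED"            # PLACED -> PAID -> SHIPPED, or -> CANCELLED
    events: list = field(default_factory=list)

def cancel(order):
    """Customer cancel: honoured while the order has not yet shipped."""
    if order.state in ("PLACED", "PAID"):
        order.state = "CANCELLED"
        order.events.append("cancelled")
        return True
    return False

def vulnerable_fulfil(order, cancel_in_between):
    """Warehouse ships from a batch snapshot; billing later re-reads live state.
    Returns (shipped, money_kept). A cancel landing between the two steps
    voids the charge but not the shipment: goods leave, nothing is billed."""
    batch = [order.order_id]                 # snapshot taken when the batch is built
    if cancel_in_between:
        cancel(order)                        # constructed race: cancel after snapshot
    shipped = order.order_id in batch        # warehouse never re-checks order.state
    money_kept = order.state != "CANCELLED"  # billing does check it -> charge voided
    order.events.append("shipped" if shipped else "held")
    order.events.append("charged" if money_kept else "voided")
    return shipped, money_kept

def hardened_fulfil(order, cancel_in_between):
    """Shipping is a guarded transition PAID -> SHIPPED; shipment and retained
    charge are decided from the same live-state check, so a late cancel yields
    a refund and no shipment, never one without the other."""
    if order.state == "PLACED":
        order.state = "PAID"
        order.events.append("charged")
    if cancel_in_between:
        cancel(order)
    if order.state != "PAID":                # compare-and-set on the live state
        order.events.append("refunded")
        return False, False
    order.state = "SHIPPED"
    order.events.append("shipped")
    return True, True
```

The invariant to audit for at every technology/people hand-off is "shipped implies paid"; only the hardened flow preserves it when the cancel arrives late.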

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Navy-Marine Corps Intranet administrators have deployed new, stronger security settings for BlackBerry devices used by Navy and Marine Corps personnel. The changes in the settings were made to protect against unauthorized access and to disable certain features and services that could compromise security, such as IM services and the GPS tracking feature. Users were notified of the changes, which were made via updates on the Navy's BlackBerry Enterprise Server.
-http://www.gcn.com/online/vol1_no1/45301-1.html
[Editor's Note (Pescatore): A lot of consumer-grade mobile devices do not support the necessary types of security policy, let alone group security management, that the military and others have been able to roll out. There is a lot of pressure to allow employee use of those consumer PDAs and smart-phones; if you can't implement and enforce security policy on the device, you have to have a strong content monitoring/data leak prevention capability to make sure you know what information is ending up on those devices. (Ullrich): This is a good move. In particular the tracking function is a double-edged sword. While it's "nice to know" where everybody is, it's scary if some competitor / adversary knows where your people are. However, the Blackberries will still be traceable, using cell phone towers for triangulation. Just the precision is not as good as with GPS.]

According to a report from the Commissioner for Law Enforcement Data Security, police in Victoria, Australia have misused the Law Enforcement Assistance Program (LEAP) database at least 26 times in the last year; 16 additional incidents are under investigation. The commissioner's post was created in 2005 after growing concerns about privacy violations and abuse of the LEAP database. In several cases, files containing information about hundreds of individuals were sent to people requesting their own information. The database is slated for replacement.
-http://www.thewest.com.au/aapstory.aspx?StoryName=432134

[Editor's Note (Skoudis): This is such a common occurrence, and at best causes embarrassment, and at worst could jeopardize livelihoods. We all know we have to be careful, but human error is a constant problem. The problem could be significantly reduced if e-mail client software vendors very clearly separated in their GUI the CC and BCC lines, with visual clues to indicate which is which. Also, it would be helpful to have a little check-box configuration that, when enabled, would prompt me if I've just clicked send on a message with more than a dozen recipients in the "To" and "CC" boxes, just to make sure that I didn't mean to have them in the BCC.]

Ivan Arce Interview (October 26, 2007)

Stephen Northcutt interviews Ivan Arce, CTO of CORE Security, about the recent update to their product to include web application testing. The interview covers the latest web attack techniques as well as Ivan's security philosophy.
-http://www1.sans.edu/resources/securitylab/ivan_arce_core.php
[Editor's Note: This is a really good interview. Ivan Arce is brilliant, and his analysis of what's important right now as well as his view of emerging trends in the infosec space are a must-read.]

Track and monitor all access to network resources and cardholder data. It seems simple enough, but PCI requirement 10 can often get organizations into audit trouble. Your customers' card data gets stored, processed and transmitted at many other points besides devices on your corporate network. Log data from all these points needs to be collected and managed to build a strong foundation for your PCI compliance program. Do you even know where this data resides?

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Traditional defenses have proven to be less than effective at protecting your data where it lives - your valuable databases and applications. Although network and host-based security technologies can detect and prevent many common attacks, they often miss more sophisticated penetration attempts such as electronic fraud, insider theft and sabotage, and unauthorized access.

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/